Managing Enterprise Risk

We live, work and lead in turbulent times of constant change and increasing unpredictability. Corporations face faster business cycles, heightened security risks, more rapid product obsolescence, increased financial market volatility and amplified public scrutiny and exposure. This comes on top of the increased vulnerability of supply chains, people, information systems, intellectual property, factories and other assets in an unsteady ecosystem. Momentum in the marketplace and ever-increasing efficiency are not sufficient in the current environment. Even a reputation for creativity and trustworthiness is not enough. Today's enterprise must be fundamentally adept at managing risk, operational and strategic, predictable and not, while still creating value. Leaders must be adept at assessing risks in the pursuit of value, balancing risk and reward where appropriate, and prioritizing which risks to mitigate and which to accept.

In this roundtable we discussed what the major risks for corporations are, how to view them and deal with them as an organization, and how to anticipate, mitigate and make tradeoffs in the context of value creation. We focused on operational, reputational, technology, strategic and hazard risks for the enterprise, and not solely on financial risks (liquidity, currency, credit) or compliance. Within those risks, we naturally addressed information and IT-related risks and threat sources, and also discussed the use of IT and data in assessing, mitigating and managing overall enterprise risk. We addressed such questions as:

How does your corporation think about risk management? What frameworks do you use? Do you use an integrated or coordinated approach to different types of risk, or is that left to each function or business unit?

What are the most important risks in your business, who tracks them and how? Do you collect data on indicators, analyze and track through dashboards, visualization, etc.?

How do you approach known risks vs. unknown risks? And known unknowns differently from unknown unknowns?

How do you think about, differentiate and plan for firm-specific risks vs. systemic risks? In this very interconnected world, how do you separate risks of your partners and/or vendors from risks to you?

Given the importance, increased volume and heightened vulnerability of data and information, what are your approaches for dealing with information security / IT risk?

What are the best practices around identifying, assessing, prioritizing and protecting against different risks? What is IT's role in this? How do you anticipate what's coming, however improbable it may seem? How do you assess vulnerability?

How do you address IT-related risks and threat sources that could, accidentally or intentionally, trigger specific IT system vulnerabilities affecting availability, system integrity or information confidentiality, or expose the enterprise to financial loss through legal liability?

How does one build an environment where flexibility, adaptability and resilience are part of the DNA of an enterprise? How important is this in coping with risk? How important is IT resiliency and how do you achieve that?

How do you build risk awareness into the enterprise and then begin to drive change that can meaningfully reduce your risk profile without squashing value creation?